ABSTRACT

The HiVe project is an ambitious research programme aimed at providing DSTO and the Australian Defence Department with the world's most advanced assurance tools. A key part of this is the provision of advanced high assurance analysis tools in the form of the HiVe Modeller component.

Formal specification and system modelling activities in the HiVe Modeller are supported through an Isabelle/HOL implementation of the HiVe Mathematical Toolkit. This report describes support for the Z Mathematical Toolkit within the HiVe Mathematical Toolkit.
Chapter 1

Introduction


1.1 The Z Toolkit

The Z specification language [2] is widely known and well respected in the formal methods community. Central to the utility of Z is the provision of a standard Mathematical Toolkit for modelling and explaining common problems in Computer Science. So as to maximise accessibility for this Z community, the HiVe project has undertaken the formalisation of a super-set of the Z Mathematical Toolkit in the Isabelle/HOL theorem proving environment.

Although the Mathematical Toolkit is canonically defined in the ISO Z Standard [2], significant communities exist that observe the definitions provided by Hayes [1] and Spivey [5]. In order to provide the widest possible support to the Z community, the HiVe Mathematical Toolkit includes coverage of all three sources.

This paper describes the Z compatibility features of the HiVe Mathematical Toolkit. Its intended audience is primarily the Z practitioner wishing to make use of the HiVe Mathematical Toolkit with minimal knowledge of the underlying Isabelle environment. A more complete and Isabelle-oriented development of the HiVe Mathematical Toolkit is given in a separate paper [3].

The main body of the paper is devoted to discussing the HiVe approach to providing Z Mathematical Toolkit support in the Isabelle/HOL environment. The appendices consist of a series of reference pages, in the style of Spivey [5], describing the supported features of the Z Mathematical Toolkit.


1.2 Isabelle/HOL in brief

Isabelle/HOL [4] provides a λ-calculus based modelling and reasoning environment, primarily aimed at those familiar with the concepts and notations of Functional Programming.

The basic term constructors of Isabelle/HOL are

• free variables¹ (eg. x, y, ...)

• constants (eg. (op =), {}, ...)

¹ For technical reasons there is a second class of logical variables, but we ignore this complication here.
• functional abstraction (eg. (% x. x = y)²)

• function application (eg. f x y, (% x. x = y) 4, ...)

Isabelle/HOL offers basic support for higher-order modelling and reasoning. Firstly, functions are first class objects, so that any term, including free and bound variables, may be of function type. Secondly, Isabelle/HOL supports free type variables, allowing the definition of type generic terms. Thirdly, Isabelle/HOL supports type classes (types of types) for restricting the range of type variables to types with common properties (eg. those with well-defined orders). Isabelle/HOL lacks support for more advanced higher-order concepts such as type constructors as first class objects, term-dependent types, or existential types.

The type constructors of Isabelle/HOL are

• free type variables³ (eg. α, β, ...)

• class-constrained variables (eg. (α::order), (α::{order, plus}), ...)

• type constructions (eg. nat, (α, β) fun, α set, ...)

By convention, modelling in Isabelle/HOL proceeds in a naive declarative style: constants are declared and defined in terms of existing constants, then lemmas and theorems about them are proved. For example:

    consts
      my_identity :: (α, α) fun

    defs
      my_identity_def: my_identity == (% x. x)

    lemma my_identity x = x
      by (simp add: my_identity_def)

Declared constants may also be provided with sophisticated mathematical presentations using the syntax command.

    syntax (xsymbols)
      my_identity :: (α, α) fun (ι _ [1000] 999)

    lemma ι (ι x) = x
      by (simp add: my_identity_def)

Here the token xsymbols identifies the print mode for the declared syntax and controls when the Isabelle system uses this syntax in its output. The actual syntax is declared at the right end of the declaration: the _ character is the placeholder for the operator argument; the [1000] parameter declares the argument priority; and the 999 parameter declares the result priority.

² We adopt the basic ascii syntax for HOL throughout, so as to reduce confusion with similar Z notation.

³ Again we ignore the complication of logical type variables.
Chapter 2

The Z Expression Language


2.1 Z Expressions as HOL Terms

In modelling the Z expression language, we are faced with the usual questions of deep versus shallow embeddings and how deep to go. We have little interest in being able to reason about the Z expression language as an entity and considerable interest in being able to augment it with the modelling capabilities of Isabelle/HOL. Therefore a full deep embedding is undesirable. In fact we see considerable benefits in making the model as shallow as possible, including actually adopting existing HOL features where the corresponding Z feature is similar in intent.

The Z expression language is split strongly between predicates and (non-predicate) expressions.

The predicate language is essentially identical in intent to the HOL boolean type and its associated algebra. We simply replace the predicate language with the terms of the boolean type. Similarly, we identify the expression language with the terms of the respective HOL types.

As noted above, HOL provides implementations of all the basic Z type constructors: sets, cross products, numbers, sequences, and bags.

For sets and cross products, we see no practical distinction between HOL and Z, so we simply adopt the HOL model for Z.

For sequences (called lists in HOL) and bags (multisets in HOL) the differences are of a fundamental nature. In particular, Z sequences and bags are graphs and users often make use of graph operators in dealing with them. Consequently, we felt it imperative to provide first-class Z implementations of sequences and bags.

In the case of numbers, the correct path was not so clear cut. HOL provides distinct types of naturals, integers and reals, whereas Z provides only the abstract type of arithos, with naturals, integers and reals (if adopted) as subsets of arithos. The Z approach offers some convenience in avoiding the use of type coercions, but providing a separate implementation of arithmetic would be prohibitively expensive. Fortunately, the majority of HOL's development of arithmetic is type generic in nature and we are readily able to introduce the arithos type, while retaining the extensive HOL development. Currently, this type is instantiated to the reals, but a larger arithmetic domain could readily be adopted.

Most of this machinery of HOL is familiar to the Z practitioner, but some of the syntactic sugar is not and is likely to be annoying. For example, the standard binder separator is the weak and easily missed full stop character, eg. (% x. f x) rather than (λ x • f x). In order to improve readability for the Z practitioner, we introduce an Isabelle print mode zed with associated Z-ified syntactic operators that support the basic syntax of Z.

Presenting the definition of this zed syntax to the reader familiar with Z presents something of a difficulty. The Isabelle mechanisms for describing syntax are very powerful, but not really very accessible, even for the Isabelle specialist. Besides, while it is easy to quote the text of theorems in general and definitions in particular, the Isabelle tool doesn't offer any satisfactory mechanism for automatically quoting the text of a constant or syntax declaration. Given that we are forced to some form of paraphrase of the declarations, we adopt a convention of presenting them in the form of term definitions. Such mock declarations are at least easily comprehended, if not entirely satisfactory in the formal sense.

The syntax and constants required to support the basic Z expression language are presented in the following sections in this fashion.
2.2 Predicates


This section contains descriptions of the basic predicate operators:

=, ∈               Equality, set membership (p. 6)
true, false        Boolean values (p. 7)
¬, ∧, ∨, ⇒, ⇔      Propositional connectives (p. 8)
∀, ∃, ∃₁           Quantifiers (p. 9)
Name

= - Equality

∈ - Set membership


Definition

x = y == x = y
x ∈ X == x : X


Description

Equality and set membership are boolean-valued binary operators and form part of the HOL term algebra.


Laws

x = x                                    (Z_refl)

x = y ⇒ y = x                            (Z_sym)

x = y ∧ y = z ⇒ x = z                    (Z_trans)

S = T ⇔ (∀ x • x ∈ S ⇔ x ∈ T)            (Z_seq_eq_def)

x = y ⇔ (∀ S • x ∈ S ⇔ y ∈ S)            (Z_member_congruence)
Name

true - Truth
false - Falsity


Definition

true == True
false == False


Description

The predicates true, false are equated to the corresponding boolean operators.

Laws

false ≠ true                                          (False_not_True)

((P ⇔ true) ⇒ R) ∧ ((P ⇔ false) ⇒ R) ⇒ R              (Z_bool_cases)

false ⇒ P                                             (Z_FalseE)

P ⇒ true                                              (Z_TrueI)
Name

¬ - Negation
∧ - Conjunction
∨ - Disjunction
⇒ - Implication
⇔ - Equivalence


Definition

¬ A == ~ A
A ∧ B == A & B
A ∨ B == A | B
A ⇒ B == A --> B
A ⇔ B == A = B


Description

The Z predicate connectives are equated to the corresponding HOL operators.


Laws

(P ⇒ false) ⇒ ¬ P                          (Z_notI)

P ⇒ Q ⇒ P ∧ Q                              (Z_conjI)

(P ⇒ P ∨ Q) ∧ (Q ⇒ P ∨ Q)                  (Z_disjI)

(P ⇒ Q) ∧ (Q ⇒ P) ⇒ (P ⇔ Q)                (Z_iffI)
Name

∀ - Universal quantifier
∃ - Existential quantifier
∃₁ - Unique quantifier


Definition

(∀ x | Q x • P x) == (! x. Q x --> P x)
(∃ x | Q x • P x) == (? x. Q x & P x)
(∃₁ x | Q x • P x) == (?! x. Q x & P x)


Description

We model the boolean quantifiers as higher-order operators, taking a boolean valued operator and returning a boolean value. This is a significant difference from the Z approach of schema-text local variables, but gives the same high level reasoning rules and allows full utilisation of Isabelle's efficient treatment of bound variables.


Laws

(∀ x • P x) ⇔ ¬ (∃ x • ¬ P x)                              (all_conv)

(∃ x • P x) ⇔ ¬ (∀ x • ¬ P x)                              (ex_conv)

(∀ x • x = v ⇒ P x) ⇔ P v                                  (one_point_all)

(∃ x • x = v ∧ P x) ⇔ P v                                  (one_point_ex)

(∃₁ x • P x) ⇔ (∃ x • P x ∧ (∀ y • P y ⇒ y = x))            (Z_ex1_def)
2.3 Expressions

This section contains descriptions of the basic expression operators:

(...), {...}       Tuple and set extension (p. 11)

ℙ, ×               Power set and cartesian product (p. 12)

{ | • }            Set comprehension (p. 13)

λ, μ               Lambda-expression and unique choice (p. 14)

let                Let-expression (p. 15)

(Graph)            Function application (p. 16)

if then            Conditional expression (p. 17)
Name

(...) - Tuple

{...} - Set extension

Notation

We write (x0, x1, ..., xn) for the tuple Pair x0 (x1, ... xn).
We write {x0, x1, ..., xn} for the set insert x0 {x1, ... xn}.


Description

Tuple and set extension are syntactic sugar for the Isabelle/HOL Pair and insert operators respectively.


Laws

(a, b) = (a', b') ⇔ a = a' ∧ b = b'          (Pair_eq)

a ∈ {b} ∪ A ⇔ a = b ∨ a ∈ A                  (insert_iff)

DSTO-TR-2272 


Name

ℙ - Power set
× - Cartesian product


Definition

ℙ X == Pow X
X × Y == X <*> Y


Description

Power set and cross product are modelled in Isabelle/HOL as set operators.


Laws

X × Y = { x y | x ∈ X ∧ y ∈ Y • (x, y) }          (Z_prod_def)
Name

{ | • } - Set comprehension


Definition

{ x | P x • t x } == { t x | x. P x }


Description

Set comprehension is modelled in Isabelle/HOL as a function from boolean operators to sets. This provides the essential properties of the Z set comprehension, though as usual the bound variable modelling differs.


Laws

y ∈ { x | Q x • t x } ⇔ (∃ x • Q x ∧ y = t x)          (Z_coll_mem)
Name

λ - Lambda-expression

μ - Unique choice

Definition

(λ x | Q x • t x) == { x | Q x • (x ↦ t x) }

(μ x | Q x • t x) == The (% y. y : { t x | x. Q x })


Description

The (graph) lambda-expression is not modelled in Isabelle/HOL. We define it as a graph-valued operator with two arguments, the domain term and the result term.

The unique choice operator is modelled in Isabelle/HOL.


Laws

(u ↦ v) ∈ (λ x | b x • t x) ⇔ b u ∧ v = t u              (Z_glambda_mem)
b e ⇒ (λ x | b x • t x)·e = t e                          (Z_glambda_beta)
dom (λ x | b x • t x) = { x | b x }                      (glambda_dom)
ran (λ x | b x • t x) = { x | b x • t x }                (glambda_ran)

P a ⇒ (∀ x • P x ⇒ x = a) ⇒ (μ x | P x) = a              (Z_collect_the_equality)


Name

let - Local definition


Definition

let x = t • f x end == (% x. f x) t


Description

The let expression is modelled in Isabelle as an operator that acts on a term and a function.
Name

(Graph) Function application


Definition

f·x == The (% y. (x, y) ∈ f)


Description

(Graph) Function application is not modelled in Isabelle/HOL. We define it as an operator with two arguments, the graph and the argument.


Laws

(∃₁ y • (x ↦ y) ∈ f) ⇒ (x ↦ f·x) ∈ f                (Z_single_val_appl)
(x ↦ y) ∈ f ⇒ f·x = y                               (Z_pfun_beta)
x ∈ dom f ⇒ (x ↦ f·x) ∈ f                           (Z_pfun_appl)
x ∈ dom f ⇒ ((x ↦ y) ∈ f ⇔ y = f·x)                 (Z_pfun_unique)
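The graph lambda, unique choice and graph application pages above, worked over finite sets as an added example (this is not HiVe toolkit code; the names glambda, mu, apply and the finite carrier standing in for a HOL type are this example's own assumptions):

```python
"""Graph-valued lambda, unique choice (mu) and graph function application,
following the HiVe reference-page definitions, over finite Python sets.
Added example for this report; it is not code from the HiVe toolkit."""
from typing import Callable, FrozenSet, Hashable, Iterable, List, Tuple

Graph = FrozenSet[Tuple[Hashable, Hashable]]


def glambda(carrier: Iterable, q: Callable[..., bool], t: Callable) -> Graph:
    """(λ x | Q x • t x) == { x | Q x • (x ↦ t x) }.
    `carrier` is a constructed finite stand-in for the HOL type of x."""
    return frozenset((x, t(x)) for x in carrier if q(x))


def mu(candidates: Iterable, p: Callable[..., bool]):
    """(μ x | P x) == The (% x. P x): the unique witness of P.  HOL leaves
    the value unspecified when P has zero or several witnesses; here that
    case is reported by raising, so undefinedness cannot pass silently."""
    hits: List = [x for x in candidates if p(x)]
    if len(hits) != 1:
        raise ValueError(f"mu: expected exactly one witness, found {len(hits)}")
    return hits[0]


def apply(f: Graph, x):
    """f·x == The (% y. (x, y) ∈ f)  (graph function application)."""
    return mu([y for (a, y) in f if a == x], lambda _y: True)


def dom(r: Graph) -> frozenset:
    return frozenset(x for (x, _) in r)


def ran(r: Graph) -> frozenset:
    return frozenset(y for (_, y) in r)


def _undefined(thunk: Callable[[], object]) -> bool:
    """True when evaluating `thunk` hits an undefined mu / application."""
    try:
        thunk()
    except ValueError:
        return True
    return False


def check_laws() -> dict:
    """Evaluate the laws of the λ, μ and application pages on a constructed
    graph: the squares of the even naturals below 10."""
    nat = range(10)
    sq = glambda(nat, lambda x: x % 2 == 0, lambda x: x * x)
    out = {}
    # Z_glambda_mem: (u ↦ v) ∈ (λ x | b x • t x) ⇔ b u ∧ v = t u
    out["glambda_mem"] = all(((u, v) in sq) == (u % 2 == 0 and v == u * u)
                             for u in nat for v in range(100))
    # glambda_dom, glambda_ran
    out["glambda_dom"] = dom(sq) == frozenset({0, 2, 4, 6, 8})
    out["glambda_ran"] = ran(sq) == frozenset({0, 4, 16, 36, 64})
    # Z_glambda_beta: b e ⇒ (λ x | b x • t x)·e = t e
    out["glambda_beta"] = apply(sq, 6) == 36
    # Z_pfun_appl: x ∈ dom f ⇒ (x ↦ f·x) ∈ f
    out["pfun_appl"] = all((x, apply(sq, x)) in sq for x in dom(sq))
    # Z_pfun_unique: x ∈ dom f ⇒ ((x ↦ y) ∈ f ⇔ y = f·x)
    out["pfun_unique"] = all(((x, y) in sq) == (y == apply(sq, x))
                             for x in dom(sq) for y in range(100))
    # Z_collect_the_equality: a unique witness makes μ well defined
    out["mu_unique"] = mu(nat, lambda x: x * x == 49) == 7
    # Outside dom f the hypothesis of Z_pfun_appl fails and f·x is undefined
    out["undefined_outside_dom"] = _undefined(lambda: apply(sq, 3))
    # A graph that is not single valued has no unique image (Z_single_val_appl)
    out["ambiguous_apply"] = _undefined(
        lambda: apply(frozenset({(1, "a"), (1, "b")}), 1))
    return out
```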
Name

if then - Conditional expression


Definition

if b then u else v fi == if b then u else v


Description

The condition expression is defined in Isabelle/HOL as a three-place operator.


Laws

P ⇒ if P then E1 else E2 fi = E1                (Z_true_if)
¬ P ⇒ if P then E1 else E2 fi = E2              (Z_false_if)
if P then E else E fi = E                       (Z_idem_if)
Chapter 3

The Z Mathematical Toolkit

3.1 Modelling issues in Isabelle/HOL

The primary issue in modelling the Z Mathematical Toolkit in Isabelle/HOL lies in Z's use of sets of pairs to model all functions. HOL provides a built-in type construction of total functions that is distinct from the graph type. For the purposes of clarity, we refer to these HOL functions as operators and Z functions as graphs.

Clearly the graph fills such a central role in Z and provides such a flexible mechanism for finite data structures that any implementation of the Z Toolkit must provide full first-class support for graphs. On the other hand, for many algebraic primitives, the operator offers significant advantages, reducing syntactic baggage and eliminating the need to reason about definedness. Besides, rejecting the use of operators completely would deny access to the large suite of modelling tools defined in HOL. It is clear that the HiVe user will be best suited by having access to both worlds.

Having decided to proceed with full support for both function models in the HiVe, one is left with the tricky decision of how much to make use of operators in supporting the Z Toolkit. A totally pure approach of not allowing operator models for any Z constructs would be expensive and brittle. For example, requiring a complete re-implementation of arithmetic! In any case, the use of graphs to model what are essentially algebraic operators is often awkward and unsatisfying in the Z Standard [2]. Our approach has been to use the operator model where a construct is basically an algebraic operator and the graph model where it is to be used primarily for user-level modelling.

In Z, the only mechanism for genericity is the given type. Again this is often awkward, as seen in the convention of leaving out generic parameters in most cases. Generally, HOL-style type generics offer a better solution to type abstraction. Our approach is to use type generics wherever possible, adopting set generics only where the value of the set parameter actually changes the meaning of the object. Where we use set generics, we model it as a set-valued argument to the constant.

This leads nicely to discussion of another fundamental question: whether to introduce Z constructs as HOL constants or else to adopt an explicit model of the environment in the semantics presented in the Z Standard [2]. Thus far we can see no compelling argument for pursuing the latter option and a number of barriers, such as developing an appropriate data type for modelling such an environment. All the standard elements of the Z Toolkit are introduced as constants as described in Section 1.2.

Finally, as discussed in Section 2.1, we note that HOL provides implementations of all the basic Z type constructors: sets, cross products, numbers, sequences, and bags.

For sets and cross products, we see no fundamental distinction between HOL and Z, so we simply adopt the HOL model for Z.

For sequences (called lists in HOL) and bags (multisets in HOL) the differences are of a fundamental nature. In particular, Z sequences and bags are graphs and users often make use of graph operators in dealing with them. Consequently, we felt it imperative to provide first-class Z implementations of sequences and bags.

In the case of numbers, the correct path was not so clear cut. HOL provides distinct types of naturals, integers and reals, whereas Z provides only the abstract type of arithos, with naturals, integers and reals (if adopted) as subsets of arithos. The Z approach offers some convenience in avoiding the use of type coercions, but providing a separate implementation of arithmetic would be prohibitively expensive. Fortunately, the majority of HOL's development of arithmetic is type generic in nature and we were readily able to define the arithos type, while retaining the extensive HOL development.

3.2 Sets


Name

≠ - Inequality

∉ - Non-membership


Definition

x ≠ y = ¬ (x = y)                (Z_neq_def)
x ∉ S = ¬ (x ∈ S)                (Z_nin_def)


Description

The negations of equality and set membership [5, p 89] [2, p 95] are already defined as syntactic operators in HOL. We simply make use of these existing, type-generic operators.


Laws

x ≠ y ⇒ y ≠ x                    (Z_neq_commute)
Name

∅ - Empty set

𝕌 - Universal set

⊆ - Subset relation

⊂ - Proper subset relation

ℙ₁ - Non-empty subsets

Definition

∅ = { x | false }                          (Z_empty_def)
𝕌 = { x | true }                           (Z_UNIV_def)
S ⊆ T = ∀ x • x ∈ S ⇒ x ∈ T                (Z_subseteq_def)
S ⊂ T = S ⊆ T ∧ S ≠ T                      (Z_subset_def)
ℙ₁ X = { S | S ∈ ℙ X ∧ S ≠ ∅ }             (Z_Pow1_def)


Description

The empty set and subset relations [5, p 90] [2, p 95] are defined as operators in HOL. We make use of the existing, type-generic operators, with appropriate Z-style syntax.

The non-empty power set [5, p 90] [2, p 96] we define as an operator on sets.


Laws

x ∉ ∅                                      (Z_notin_empty)
S ⊆ T ⇔ S ∈ ℙ T                            (Z_subset_Pow)
S ⊆ S                                      (Z_subset_refl)
¬ (S ⊂ S)                                  (Z_psubset_not_refl)
S ⊆ T ∧ T ⊆ S ⇔ S = T                      (Z_subset_antisym)
¬ (S ⊂ T ∧ T ⊂ S)                          (Z_psubset_chained)
S ⊆ T ∧ T ⊆ V ⇒ S ⊆ V                      (Z_subset_trans)
S ⊂ T ∧ T ⊂ V ⇒ S ⊂ V                      (Z_psubset_trans)
∅ ⊆ S                                      (Z_empty_subset)
∅ ⊂ S ⇔ S ≠ ∅                              (Z_empty_psubset)
ℙ₁ X = ∅ ⇔ X = ∅                           (Z_Pow1_empty)
X ≠ ∅ ⇔ X ∈ ℙ₁ X                           (Z_nempty_Pow1)
Name

∪ - Set union
∩ - Set intersection
\ - Set difference


Definition

S ∩ T = { x | x ∈ S ∧ x ∈ T }              (Z_inter_def)
S ∪ T = { x | x ∈ S ∨ x ∈ T }              (Z_union_def)
S \ T = { x | x ∈ S ∧ x ∉ T }              (Z_set_diff_def)


Description

Set union, intersection, and difference [5, p 91] [2, p 97] are already defined in HOL. We make use of the existing, type-generic operators, with appropriate Z-style syntax. The symmetric set difference operator [2, p 97] is not already defined in HOL. We define it as a binary set operator.


Laws

S ∪ S = S ∪ ∅ = S ∩ S = S \ ∅ = S          (Z_union_inter_diff_idem)

S ∩ ∅ = S \ S = ∅ \ S = ∅                  (Z_inter_diff_empty)

S ∪ T = T ∪ S                              (Z_union_comm)

S ∩ T = T ∩ S                              (Z_inter_comm)

S ∪ (T ∪ V) = S ∪ T ∪ V                    (Z_union_assoc)

S ∩ (T ∩ V) = S ∩ T ∩ V                    (Z_inter_assoc)

S ∪ T ∩ V = (S ∪ T) ∩ (S ∪ V)              (Z_union_dist)

S ∩ (T ∪ V) = S ∩ T ∪ S ∩ V                (Z_inter_dist)

S ∩ T ∪ (S \ T) = S                        (Z_partition)

S ∪ (T \ V) = S ∪ T \ (V \ S)              (Z_union_diff)

(S \ T) ∩ T = ∅                            (Z_diff_disjoint)

S ∩ (T \ V) = S ∩ T \ V                    (Z_inter_diff)

S \ (T \ V) = (S \ T) ∪ S ∩ V              (Z_diff_diff1)

S ∪ T \ V = (S \ V) ∪ (T \ V)              (Z_diff_union)

S \ T \ V = S \ (T ∪ V)                    (Z_diff_diff2)

S \ T ∩ V = (S \ T) ∪ (S \ V)              (Z_diff_inter)
Name

⋃ - Generalised union

⋂ - Generalised intersection

Definition

⋃ A = { x | ∃ S • S ∈ A ∧ x ∈ S }          (Z_Union_def)
⋂ A = { x | ∀ S • S ∈ A ⇒ x ∈ S }          (Z_Inter_def)


Description

Generalised union and intersection [5, p 92] [2, p 97] are defined as operators in HOL. We make use of the existing, type-generic operators, with appropriate Z-style syntax. We also allow the dropping of the set brackets when applied to set comprehensions, i.e. (⋃ x | Q x • t x) and (⋂ x | Q x • t x).


Laws

⋃ (A ∪ B) = ⋃ A ∪ ⋃ B                          (Z_Union_union_dist)

⋂ (A ∪ B) = ⋂ A ∩ ⋂ B                          (Z_Inter_union_dist)

⋃ ∅ = ∅                                        (Z_Union_empty)

⋂ ∅ = 𝕌                                        (Z_Inter_empty)

S ∩ ⋃ A = (⋃ T | T ∈ A • S ∩ T)                (Z_inter_Union_dist)

⋃ A \ S = (⋃ T | T ∈ A • T \ S)                (Z_Union_diff_dist)

S \ ⋂ A = (⋃ T | T ∈ A • S \ T)                (Z_diff_Inter_dist)

A ≠ ∅ ⇒ ⋂ A \ S = (⋂ T | T ∈ A • T \ S)        (Z_Inter_diff_dist)

A ⊆ B ⇒ ⋃ A ⊆ ⋃ B                              (Z_Union_mono)

A ⊆ B ⇒ ⋂ B ⊆ ⋂ A                              (Z_Inter_antimono)
Name

fst, snd - Projection functions for ordered pairs


Definition

fst (x, y) = x                (Z_fst_def)
snd (x, y) = y                (Z_snd_def)


Description

The first and second operators [5, p 93] [2, p 98] are defined in HOL. These are not strictly compatible with those defined in the Z Standard, since the Z operators act on bindings rather than tuples, which are subsumed by the binding structure in Z. Nevertheless we find it convenient to make use of the HOL operators. As noted elsewhere, bindings are a difficult structure to model in HOL.


Laws

(fst p, snd p) = p            (Z_tuple_cong)
Order properties of set operations

S ⊆ S ∪ T                                      (union_ub1)
T ⊆ S ∪ T                                      (union_ub2)
S ⊆ W ∧ T ⊆ W ⇒ S ∪ T ⊆ W                      (union_least)
S ∈ A ⇒ S ⊆ ⋃ A                                (Union_ub)
(∀ S • S ∈ A ⇒ S ⊆ W) ⇒ ⋃ A ⊆ W                (Union_least)
S ∩ T ⊆ S                                      (inter_lb1)
S ∩ T ⊆ T                                      (inter_lb2)
W ⊆ S ∧ W ⊆ T ⇒ W ⊆ S ∩ T                      (inter_greatest)
S ∈ A ⇒ ⋂ A ⊆ S                                (Z_Inter_lb)
(∀ S • S ∈ A ⇒ W ⊆ S) ⇒ W ⊆ ⋂ A                (Z_Inter_greatest)
S \ T ⊆ S                                      (diff_lb)
W ⊆ S ∧ W ∩ T = ∅ ⇒ W ⊆ S \ T                  (diff_greatest)
3.3 Relations


Name

↔ - Binary relation graphs

↦ - Maplet


Definition

X ↔ Y = ℙ (X × Y)            (rel_def)

x ↦ y = (x, y)               (Z_maplet_def)


Description

Isabelle/HOL allows us to adopt the usual Z model of relations as sets of pairs. We call this model the graph approach. Another approach would be to model relations as binary boolean-valued operators. Isabelle/HOL makes use of both models in its development, making it necessary to convert between the two at times. We write op r for the operator generated by the graph r and grf s for the graph generated by the operator s.

Following Spivey [5], we adopt syntax for infix relation application (for example writing a R b for (a ↦ b) ∈ R) and relational chaining (for example writing a, b ∈ X ⊆ Y for a ∈ X ∧ b ∈ X ∧ X ⊆ Y).

HOL provides a built-in model for functions (value abstractions), embodied by the type constructor fun and the λ-constructor. In the following we refer to this model as the operator model of functions.

The single-valued graphs provide a convenient (and widely used) mathematical model of functions. This is especially so when partial or finite functions are of particular interest, as is often the case in program specification. A graph is a set of pairs describing the relationship between function argument and function result.
Name

dom - Domain
ran - Range


Definition

dom R = { x y | x R y • x }                  (Z_dom_def)
ran R = { x y | x R y • y }                  (Z_ran_def)

Description

Domain and range operators [5, p 96] [2, p 98] are already defined.


Laws

x ∈ dom r ⇔ (∃ y • y ∈ Y ∧ x r y)            (Z_in_domD)

y ∈ ran r ⇔ (∃ x • x ∈ X ∧ x r y)            (Z_in_ranD)

dom ({(x, y)} ∪ R) = {x} ∪ dom R             (Z_rel_insert_dom)

ran ({(x, y)} ∪ R) = {y} ∪ ran R             (Z_rel_insert_ran)

dom (R1 ∪ R2) = dom R1 ∪ dom R2              (Z_rel_union_dom)

ran (R1 ∪ R2) = ran R1 ∪ ran R2              (Z_rel_union_ran)

dom (R1 ∩ R2) ⊆ dom R1 ∩ dom R2              (Z_rel_inter_dom)

ran (R1 ∩ R2) ⊆ ran R1 ∩ ran R2              (Z_rel_inter_ran)

dom ∅ = ∅                                    (Z_rel_empty_dom)

ran ∅ = ∅                                    (Z_rel_empty_ran)
Name

id - Identity relation

⨾ - Relational composition

∘ - Backward relational composition


Definition

id X = { x | x ∈ X • (x, x) }                        (rel_id_def)

R ∘ Q = { x y z | x Q y ∧ y R z • x ↦ z }            (Z_comp_def)

Q ⨾ R = R ∘ Q                                        (Z_fcomp_def)


Description

Relational identity [5, p 97] [2, p 98] and (backward) composition [5, p 97] [2, p 99] are already defined in HOL. We introduce forward composition [5, p 97] [2, p 99] by identifying it with backward composition, but with the arguments reversed.


Laws

(x ↦ x') ∈ id X ⇔ x = x' ∈ X                         (Z_rel_id_mem)

(x ↦ z) ∈ P ⨾ Q ⇔ (∃ y • x P y ∧ y Q z)              (Z_rel_fcomp_mem)

(x ↦ z) ∈ P ∘ Q ⇔ (∃ y • x Q y ∧ y P z)              (Z_rel_comp_mem)

(P ⨾ Q) ⨾ R = P ⨾ Q ⨾ R                              (Z_rel_fcomp_assoc)

id (dom P) ⨾ P = P                                   (Z_rel_lident)

P ⨾ id (ran P) = P                                   (Z_rel_rident)

id V ⨾ id W = id (V ∩ W)                             (Z_rel_id_fcomp)
Name

◁ - Domain restriction

▷ - Range restriction


Definition

S ◁ R = { x y | x ∈ S ∧ x R y • x ↦ y }              (Z_dres_def)
R ▷ T = { x y | y ∈ T ∧ x R y • x ↦ y }              (Z_rres_def)


Description

Domain and range restrictions [5, p 98] [2, p 99] are not defined in HOL. In the Z standard, they are defined in a set generic manner, but they do not vary in value according to the carrier set, so we define them in a type generic manner.


Laws

S ◁ R = id S ⨾ R = S × Y ∩ R                         (Z_dres_id_inter)

R ▷ T = R ⨾ id T = R ∩ X × T                         (Z_rres_id_inter)

dom (U ◁ R) = U ∩ dom R                              (Z_dres_dom)

ran (R ▷ T) = ran R ∩ T                              (Z_rres_ran)

S ◁ R ⊆ R                                            (Z_dres_sub_self)

R ▷ T ⊆ R                                            (Z_rres_sub_self)

U ◁ R ▷ V = U ◁ (R ▷ V)                              (Z_dr_res_assoc)

U ◁ V ◁ R = (U ∩ V) ◁ R                              (Z_dres_dist)

R ▷ U ▷ V = R ▷ (U ∩ V)                              (Z_rres_dist)
Name

⩤ - Domain anti-restriction
⩥ - Range anti-restriction

Definition

S ⩤ R = { x y | x ∉ S ∧ x R y • x ↦ y }              (Z_dsub_def)

R ⩥ T = { x y | y ∉ T ∧ x R y • x ↦ y }              (Z_rsub_def)

Description

As above, domain and range antirestrictions [5, p 99] [2, p 99,100] are not a standard part of HOL. In the Z standard, they are defined in a set generic manner, but they do not vary in value according to the carrier set, so we define them in a type generic manner.


Laws

U ⩤ R = (𝕌 \ U) ◁ R                                  (Z_dsub_id_char)

R ⩥ V = R ▷ (𝕌 \ V)                                  (Z_rsub_id_char)

U ◁ R ∪ U ⩤ R = R                                    (Z_dpart_rel)

R ▷ T ∪ R ⩥ T = R                                    (Z_rpart_rel)
Name

~ - Relational inverse


Definition

R~ = { x y | x R y • y ↦ x }                         (Z_inverse_def)


Description

The relational inverse [5, p 100] [2, p 100] is already defined in HOL.


Laws

(x ↦ y) ∈ R~ ⇔ (y ↦ x) ∈ R                           (Z_inverse_mem)
(R~)~ = R                                            (Z_inverse_idem)
(R ∘ S)~ = S~ ∘ R~                                   (Z_inverse_rel_comp)
(id X)~ = id X                                       (Z_inverse_id)
dom (R~) = ran R                                     (Z_inverse_dom)
ran (R~) = dom R                                     (Z_inverse_ran)
id (dom R) ⊆ R ⨾ R~                                  (Z_inverse_lgalois)
id (ran R) ⊆ R~ ⨾ R                                  (Z_inverse_rgalois)
Name

_⦇_⦈ - Relational image

Definition

R⦇S⦈ = { x y | x ∈ S ∧ x R y • y }  (Z_Image_def)

Description

Again, relational image [5, p 101][2, p 100] is a standard part of HOL.

Laws

y ∈ R⦇U⦈ ⇔ (∃ x • x ∈ U ∧ x R y)  (Z_Image_diff)
R⦇U⦈ = ran (U ◁ R)  (Z_Image_dres)
dom (S ⨟ R) = (S~)⦇dom R⦈  (Z_inv_Image_dom_rel)
ran (S ⨟ R) = R⦇ran S⦈  (Z_Image_ran_rel)
R⦇U ∪ V⦈ = R⦇U⦈ ∪ R⦇V⦈  (Z_Image_union)
R⦇U ∩ V⦈ ⊆ R⦇U⦈ ∩ R⦇V⦈  (Z_Image_inter)
R⦇dom R⦈ = ran R  (Z_Image_dom)
dom R = fst⦇R⦈  (Z_dom_Image)
ran R = snd⦇R⦈  (Z_ran_Image)
Name

⊕ - Overriding

Definition

Q ⊕ R = dom R ⩤ Q ∪ R  (Z_rel_oride_def)

Description

Relational overriding [5, p 102][2, p 100] is not a standard part of HOL. As its value does not vary with the carrier set, we make a type generic definition.

Laws

R ⊕ R = R  (Z_rel_oride_idem)
(P ⊕ Q) ⊕ R = P ⊕ Q ⊕ R  (Z_rel_oride_assoc)
∅ ⊕ R = R ⊕ ∅ = R  (Z_rel_oride_id)
dom (Q ⊕ R) = dom Q ∪ dom R  (Z_rel_oride_dom_dist)
Q ⊕ R = Q ∪ R  (Z_rel_oride_disj)
V ◁ (Q ⊕ R) = V ◁ Q ⊕ V ◁ R  (Z_dres_rel_oride_dist)
(Q ⊕ R) ▷ V ⊆ Q ▷ V ⊕ R ▷ V  (Z_rres_rel_oride_dist)

If f and g are functions:

(g ⊕ f)·x = g·x  (Z_rel_oride_beta2)
(g ⊕ f)·x = f·x  (Z_rel_oride_beta1)
Name

_⁺ - Transitive closure
_* - Reflexive-transitive closure

Definition

R⁺ = (⋂ Q | Q ∈ X ↔ X ∧ R ⊆ Q ∧ Q ⨟ Q ⊆ Q)  (Z_ztrancl_def)
R* = (⋂ Q | Q ∈ X ↔ X ∧ id X ⊆ Q ∧ R ⊆ Q ∧ Q ⨟ Q ⊆ Q)  (Z_zrtrancl_def)

Description

The reflexive and transitive closure operators [5, p 103][2, p 100,101] are treated in the standard HOL distribution, but unfortunately do not accommodate the notion of a carrier set for the relation as expected by Z.

Laws

R ⊆ R⁺  (Z_ztrancl_inc)
R⁺ ⨟ R⁺ ⊆ R⁺  (Z_ztrancl_fcomp_dist)
Q ∈ X ↔ X ∧ Q ⨟ Q ⊆ Q ∧ R ⊆ Q ⇒ R⁺ ⊆ Q  (Z_ztrancl_subI)
id X ⊆ R*  (Z_zrtrancl_id)
R ⊆ R*  (Z_zrtrancl_inc)
R* ⨟ R* ⊆ R*  (Z_zrtrancl_fcomp_dist)
id X ⊆ Q ∧ R ⊆ Q ∧ Q ⨟ Q ⊆ Q ⇒ R* ⊆ Q  (Z_zrtrancl_subI)
R* = R⁺ ∪ id X = (R ∪ id X)⁺  (Z_zrtrancl_decomp)
R⁺ = R ⨟ R* = R* ⨟ R  (Z_ztrancl_decomp)
(R⁺)⁺ = R⁺  (Z_ztrancl_idem)
(R*)* = R*  (Z_zrtrancl_idem)
X ⊆ (R*)⦇X⦈  (Z_zrtrancl_Image)
R⦇(R*)⦇X⦈⦈ ⊆ (R*)⦇X⦈  (Z_rel_zrtrancl_Image)
U ⊆ V ∧ R⦇V⦈ ⊆ V ⇒ (R*)⦇U⦈ ⊆ V  (Z_rel_ztrancl_mono)
Monotonic Operations

HOL provides a basic monotonicity definition, and we expand upon it to provide the following lemmas.

f ∈ M ⇔ (∀ S T • S ⊆ T ⇒ f S ⊆ f T)  (mono_set_def)
f ∈ M ∧ rev_args f ∈ M ⇔ (∀ S T U V • S ⊆ T ∧ U ⊆ V ⇒ f S U ⊆ f T V)  (mono2_prod_set_def)
f ∈ M ⇔ (∀ S T • f (S ∩ T) ⊆ f S ∩ f T)  (mono_set_inf)
f ∈ M ⇔ (∀ S T • f S ∪ f T ⊆ f (S ∪ T))  (mono_set_sup)
f ∈ M_∪ ∧ rev_args f ∈ M_∪ ⇔ (∀ S T U V • f (S ∪ T) V = f S V ∪ f T V ∧ f S (U ∪ V) = f S U ∪ f S V)  (sup_morphic2_set_def)
U ⩤ (R ∪ S) = U ⩤ R ∪ U ⩤ S  (dsub_union_distl)
S ⊆ T ⇒ T ⩤ R ⊆ S ⩤ R  (dsub_mono)
S = (⋂ T | f T ⊆ T)  (lfp_set_def)
f S = S  (lfp_set_fold)
∀ T • f T ⊆ T ⇒ S ⊆ T  (lfp_set_induct)
3.4 Functions

Name

⇸ - Partial functions
→ - Total functions
⤔ - Partial injections
↣ - Total injections
⤀ - Partial surjections
↠ - Total surjections
⤖ - Bijections

Definition

X ⇸ Y = { f | f ∈ X ↔ Y ∧ (∀ x • x ∈ dom f ⇒ (∃₁ y • (x ↦ y) ∈ f)) }  (Z_part_funs_def)
X → Y = { f | f ∈ X ⇸ Y ∧ dom f = X }  (total_funs_def)
X ⤔ Y = { f | f ∈ X ⇸ Y ∧ f~ ∈ Y ⇸ X }  (part_injs_def)
X ↣ Y = X ⤔ Y ∩ X → Y  (total_injs_def)
X ⤀ Y = { f | f ∈ X ⇸ Y ∧ ran f = Y }  (part_surjs_def)
X ↠ Y = X ⤀ Y ∩ X → Y  (total_surjs_def)
X ⤖ Y = X ↣ Y ∩ X ↠ Y  (bijs_def)

Description

HOL provides a built-in model for functions (value abstractions), embodied by the type constructor fun and the λ-constructor. In the following we refer to this model as the operator model of functions.

The single-valued graphs provide a convenient (and widely used) mathematical model of functions. This is especially so when partial or finite functions are of particular interest, as is often the case in program specification.

In the following we develop a graph model of functions, based on the Z mathematical toolkit as described by Spivey [5, p 107][2, p 101,102].

Laws

f ∈ X ⇸ Y ⇔ f~ ⨟ f = id (ran f)  (Z_pfun_left_inv)
f ∈ X ⤔ Y ⇔ f ∈ X ⇸ Y ∧ f~ ∈ Y ⇸ X  (Z_pinj_f_finv)
f ∈ X ↣ Y ⇔ f ∈ X → Y ∧ f~ ∈ Y ⇸ X  (Z_tinj_f_finv)
f⦇S⦈ ∩ f⦇T⦈ = f⦇S ∩ T⦈  (Z_tinj_Image_inter)
f ∈ X ⤖ Y ⇔ f ∈ X → Y ∧ f~ ∈ Y ↣ X  (Z_bij_tfun_inv_tinj)
(Z_psurj_left_inv)
Relational operations on functions

Identity relation is a function:

id S ∈ X ⤔ X  (Z_id_pinj)
id X ∈ X ⤖ X  (Z_id_bij)

f ∈ X ⇸ Y ∧ g ∈ Y ⇸ Z ⇒ g ∘ f ∈ X ⇸ Z  (Z_comp_in_pfunI)
f ∈ X → Y ∧ g ∈ Y ⇸ Z ∧ ran f ⊆ dom g ⇒ g ∘ f ∈ X → Z  (Z_comp_in_tfunI)
f ∈ X ⇸ Y ⇒ S ◁ f ∈ X ⇸ Y  (Z_dres_in_pfunI)
f ∈ X ⇸ Y ⇒ f ▷ T ∈ X ⇸ Y  (Z_rres_in_pfunI)
f ∈ X ⇸ Y ∧ g ∈ X ⇸ Y ⇒ f ⊕ g ∈ X ⇸ Y  (Z_rel_oride_in_pfunI)

Composition and restrictions of injections:

… ⇒ g ∘ f ∈ X ⤔ Z  (Z_comp_in_pinjI)
f ∈ X ⤔ Y ⇒ S ◁ f ∈ X ⤔ Y  (Z_dres_in_pinjI)
f ∈ X ⤔ Y ⇒ f ▷ T ∈ X ⤔ Y  (Z_rres_in_pinjI)
f ∈ X ⤔ Y ⇒ f~ ∈ Y ⤔ X  (Z_pinj_inv_pinj)

Set theoretic operations:

f ∈ X ⇸ Y ∧ g ∈ X ⇸ Y ∧ dom f ∩ dom g = ∅ ⇒ f ∪ g ∈ X ⇸ Y  (Z_union_in_pfun)
f ∈ X ⇸ Y ∧ g ∈ X ⇸ Y ⇒ f ∩ g ∈ X ⇸ Y  (Z_inter_in_pfun)
f ∈ X ⤔ Y ∧ g ∈ X ⤔ Y ⇒ f ∩ g ∈ X ⤔ Y  (Z_inter_in_pinj)

Special cases:

f ∈ X ⇸ Y ∧ g ⊆ f ⇒ g ∈ X ⇸ Y  (Z_subset_in_pfun)
f ∈ X ⤔ Y ∧ g ⊆ f ⇒ g ∈ X ⤔ Y  (Z_subset_in_pinj)
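The graph model of functions in Section 3.4 is decidable on finite data, so the seven function classes and the closure laws above can be checked mechanically. The following Python module is an added example written for this page, not code from the HiVe toolkit or the report: each predicate is the membership condition of the corresponding definition written out directly, `classify` names every class a graph belongs to, and `check_laws` evaluates a selection of the laws of this section. The user and role names and the four sample graphs are constructed here.

```python
"""Graph model of functions from Section 3.4, checked on finite data.

Added example, not part of the HiVe toolkit or the report. A function is
a frozenset of (x, y) pairs, and each predicate below is the membership
condition of the corresponding definition on the page (X ⇸ Y, X → Y,
X ⤔ Y, X ↣ Y, X ⤀ Y, X ↠ Y, X ⤖ Y) written out directly. The user and
role names in the sample data are constructed here.
"""


def dom(f):
    return frozenset(x for x, _ in f)


def ran(f):
    return frozenset(y for _, y in f)


def inverse(f):                          # f~
    return frozenset((y, x) for x, y in f)


def ident(S):                            # id S
    return frozenset((x, x) for x in S)


def fcomp(r, s):                         # r ⨟ s
    return frozenset((x, z) for x, y in r for y2, z in s if y == y2)


def is_pfun(f, X, Y):
    """f ∈ X ⇸ Y: a relation in X ↔ Y in which every domain element has
    exactly one image (the ∃₁ clause of Z_part_funs_def)."""
    in_carrier = all(x in X and y in Y for x, y in f)
    return in_carrier and all(sum(1 for x2, _ in f if x2 == x) == 1 for x in dom(f))


def is_tfun(f, X, Y):                    # X → Y: partial function with dom f = X
    return is_pfun(f, X, Y) and dom(f) == frozenset(X)


def is_pinj(f, X, Y):                    # X ⤔ Y: f and f~ both partial functions
    return is_pfun(f, X, Y) and is_pfun(inverse(f), Y, X)


def is_tinj(f, X, Y):                    # X ↣ Y = X ⤔ Y ∩ X → Y
    return is_pinj(f, X, Y) and is_tfun(f, X, Y)


def is_psurj(f, X, Y):                   # X ⤀ Y: partial function with ran f = Y
    return is_pfun(f, X, Y) and ran(f) == frozenset(Y)


def is_tsurj(f, X, Y):                   # X ↠ Y = X ⤀ Y ∩ X → Y
    return is_psurj(f, X, Y) and is_tfun(f, X, Y)


def is_bij(f, X, Y):                     # X ⤖ Y = X ↣ Y ∩ X ↠ Y
    return is_tinj(f, X, Y) and is_tsurj(f, X, Y)


def override(q, r):                      # q ⊕ r
    return frozenset((x, y) for x, y in q if x not in dom(r)) | frozenset(r)


def classify(f, X, Y):
    """Names of every function class on the page that f belongs to."""
    classes = [("pfun", is_pfun), ("tfun", is_tfun), ("pinj", is_pinj), ("tinj", is_tinj),
               ("psurj", is_psurj), ("tsurj", is_tsurj), ("bij", is_bij)]
    return [name for name, pred in classes if pred(f, X, Y)]


# Constructed sample data: users mapped to roles.
USERS = frozenset({"alice", "bob", "carol"})
ROLES = frozenset({"admin", "auditor", "reader"})
F_PARTIAL = frozenset({("alice", "admin"), ("bob", "reader")})
F_TOTAL = frozenset({("alice", "admin"), ("bob", "reader"), ("carol", "reader")})
F_BIJ = frozenset({("alice", "admin"), ("bob", "reader"), ("carol", "auditor")})
NOT_A_FUNCTION = frozenset({("alice", "admin"), ("alice", "reader")})


def check_laws(f, g, X, Y):
    """A selection of this section's laws for arbitrary graphs f and g;
    implications are evaluated as 'not hypothesis or conclusion'."""
    half_of_f = frozenset(list(f)[: len(f) // 2])
    return {
        "Z_pfun_left_inv": is_pfun(g, X, Y) == (fcomp(inverse(g), g) == ident(ran(g))),
        "Z_bij_tfun_inv_tinj": is_bij(f, X, Y) == (is_tfun(f, X, Y) and is_tinj(inverse(f), Y, X)),
        "Z_pinj_inv_pinj": (not is_pinj(f, X, Y)) or is_pinj(inverse(f), Y, X),
        "Z_rel_oride_in_pfunI": (not (is_pfun(f, X, Y) and is_pfun(g, X, Y))) or is_pfun(override(f, g), X, Y),
        "Z_subset_in_pfun": (not is_pfun(f, X, Y)) or is_pfun(half_of_f, X, Y),
    }
```

The value of the graph model shows in `Z_pfun_left_inv`: for `NOT_A_FUNCTION` both sides of the equivalence are false, since `f~ ⨟ f` picks up the cross pairs (admin, reader) and (reader, admin) that a single-valued graph can never produce.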
3.5 Numbers and finiteness

Name

𝔸 - Numbers
ℕ - Natural numbers
ℤ - Integers
+, *, div, mod - Arithmetic operations
<, ≤, >, ≥ - Numerical comparison

Definition

ℕ = (⋂ N | 0 ∈ N ∧ (∀ x • x ∈ N ⇒ x + 1 ∈ N))  (Z_zNats_def)
ℤ = { z | z ∈ 𝔸 ∧ (∃ x • x ∈ ℕ ∧ (z = x ∨ z = -x)) }  (Z_zInts_def)

Other definitions not included for brevity.

Description

The number domain [5, p 108][2, p 103] for Z is an abstract set 𝔸, pronounced "arithmos". The basic requirement for arithmos is that it must admit an injective, homomorphic embedding of the integers. Isabelle declares homomorphic embeddings of the naturals and integers, but does not require that they be injective. We declare strengthenings of these embeddings and lift natural number and integer lemmas to them. We omit some definitions of the above operators for brevity.

Laws

0 < b ⇒ 0 ≤ a mod b ∧ a mod b < b  (Z_mod_bounds)
b ≠ 0 ⇒ a = b * (a div b) + a mod b  (Z_div_mod_reconstr)
b ≠ 0 ∧ c ≠ 0 ⇒ (c * a) div (c * b) = a div b  (Z_div_mod_reduce)
Name

ℕ₁ - Strictly positive integers
succ - Successor function
(a..b) - Number range

Definition

ℕ₁ = ℕ \ {0}  (zNats1_def)
succ = (λ n | n ∈ ℕ • n + 1)  (Z_zsucc_def)
a..b = { k | k ∈ ℤ ∧ a ≤ k ≤ b }  (Z_zint_range_def)

Description

The non-zero integers [5, p 109][2, p 105] are not defined in HOL. We introduce them as a subset of arithmos.

The successor [5, p 109][2, p 103] is defined as an operator in HOL, but there is a strong assumption in Z that the successor is a graph. Hence we introduce a graph-style successor.

Numeric ranges [5, p 109][2, p 106] are defined in HOL, but we find it more convenient to introduce a Z specific range.

Laws

succ ∈ ℕ ⤖ ℕ₁  (zsucc_bij)
∀ n • n ∈ ℕ ⇒ succ·n = n + 1  (Z_zsucc_beta)
m < n ⇒ n..m = ∅  (Z_zint_range_empty)
a..a = {a}  (zint_range_singleton)
n₁..m₁ ⊆ n₁..m₂  (zint_range_mono)
Name

R^k - Iteration

Definition

R^0 = id X  (Z_ziter_zero_def)
R^(n + 1) = R ⨟ R^n  (Z_ziter_iter_def)
R^(-k) = (R~)^k  (Z_ziter_minus_k_def)

Description

HOL already defines a relational iteration operator [5, p 110][2, p 106], but, as with the transitive closure operator, it does not take account of a carrier set as the Z operator does, nor is it defined over the full integer space. Thus we are forced to redefine a Z compliant version of iteration.

Laws

R^0 = id X  (Z_ziter_zero)
R^1 = R  (Z_ziter_one)
R^2 = R ⨟ R  (Z_ziter_two)
R^(-1) = R~  (Z_ziter_minus_one)
R^(n + 1) = R ⨟ R^n  (Z_ziter_iter)
R^(n + 1) = R^n ⨟ R  (Z_ziter_iter')
(R~)^n = (R^n)~  (Z_ziter_converse)
R^(n + m) = R^n ⨟ R^m  (Z_ziter_add_dist)
R^(n * m) = (R^n)^m  (Z_ziter_mult_dist)
R⁺ = (⋃ k | 1 ≤ k ∧ k ∈ ℤ • R^k)  (Z_ziter_ztrancl)
R* = (⋃ k | 0 ≤ k ∧ k ∈ ℤ • R^k)  (Z_ziter_zrtrancl)
R ⨟ S = S ⨟ R ⇒ (R ⨟ S)^k = R^k ⨟ S^k  (Z_fcomp_ziter)
Name

𝔽 - Finite sets
𝔽₁ - Non-empty finite sets
#_ - Number of members of a set

Definition

𝔽 X = { S | S ∈ ℙ X ∧ (∃ n • n ∈ ℕ ∧ (∃ f • f ∈ (1..n) ⤖ S)) }  (Z_fin_pow_def)
𝔽₁ X = 𝔽 X \ {∅}  (Z_fin_pow1_def)
#S = (μ n | n ∈ ℕ ∧ (∃ f • f ∈ (1..n) ⤖ S))  (Z_zcard_def)

Description

We introduce finite subsets and finite non-empty subsets [5, p 111][2, p 97] as set operators. We define them as restrictions of the existing HOL finite set operator.

Laws

S ∈ 𝔽 X ⇔ (∀ f • f ∈ S ↣ S ⇒ ran f = S)  (Z_finite_iff)
∅ ∈ 𝔽 X  (Z_empty_fin_pow)
∀ S x • S ∈ 𝔽 X ∧ x ∈ X ⇒ S ∪ {x} ∈ 𝔽 X  (Z_fin_pow_insert)
#(S ∪ T) = #S + #T - #(S ∩ T)  (Z_zcard_union)
𝔽₁ X = { S | S ∈ 𝔽 X ∧ 0 < #S }  (Z_fin_pow1_redef)
Name

⇻ - Finite partial functions
⤕ - Finite partial injections

Definition

X ⇻ Y = { f | f ∈ X ⇸ Y ∧ dom f ∈ 𝔽 X }  (Z_finite_part_funs_def)
X ⤕ Y = X ⇻ Y ∩ X ⤔ Y  (finite_part_injs)

Description

Finite functions [5, p 112][2, p 102] are those represented by a finite set of maplets.

Laws

X ⇻ Y = X ⇸ Y ∩ 𝔽 (X × Y)  (Z_finite_part_fun_fpow)
Name

min, max - Minimum and maximum of a set of numbers

Definition

min = { S m | S ∈ ℙ₁ ℤ ∧ m ∈ ℤ ∧ m ∈ S ∧ (∀ n • n ∈ S ⇒ m ≤ n) • S ↦ m }  (zmin_def)
max = { S m | S ∈ ℙ₁ ℤ ∧ m ∈ ℤ ∧ m ∈ S ∧ (∀ n • n ∈ S ⇒ m ≥ n) • S ↦ m }  (zmax_def)

Description

The minimum and maximum [5, p 113][2, p 107] of a finite set are defined generally. Such functions are defined in HOL, but we introduce graph-based versions in support of Z.

Laws

𝔽₁ ℤ ⊆ dom min  (Z_fin_pow1_dom_min)
𝔽₁ ℤ ⊆ dom max  (Z_fin_pow1_dom_max)
ℙ ℕ ∩ dom min = ℙ₁ ℕ  (Z_pow_zmin_pow1)
ℙ ℕ ∩ dom max = 𝔽₁ ℕ  (Z_pow_zmax_pow1)
min·(S ∪ T) = min·{min·S, min·T}  (Z_min_union)
max·(S ∪ T) = max·{max·S, max·T}  (Z_max_union)
min·(S ∩ T) ≥ min·S  (Z_min_inter)
max·(S ∩ T) ≤ max·S  (Z_max_inter)
a ≤ b ⇒ min·(a..b) = a ∧ max·(a..b) = b  (Z_min_max_zint_range)
(a..b) ∩ (c..d) = max·{a, c}..min·{b, d}  (Z_zint_range_inter_min_max)
Proof by induction

Arithmetic induction provides a method for proving a number of theorems about the natural numbers.

zNats_induct:

⟦n ∈ ℕ; P 0; ⋀ m • ⟦m ∈ ℕ; P m⟧ ⊢ P (m + 1)⟧ ⊢ P n
3.6 Sequences

Name

seq - Finite sequences
seq₁ - Non-empty finite sequences
iseq - Injective sequences
sinsert - Sequence insertion
⟨⟩ - Empty sequence

Definition

seq X = (⋃ n | n ∈ ℕ • (1..n) → X)  (seq_def)
seq₁ X = { s | s ∈ seq X ∧ 0 < #s }  (seq1_def)
iseq X = seq X ∩ ℕ ⤔ X  (iseq_def)
sinsert x s = {(1, x)} ⊕ { n x | (n, x) ∈ s • (n + 1, x) }  (sinsert_def)
⟨⟩ = ∅  (sempty_def)

Notation

We write ⟨x₀, x₁, … xₙ⟩ for the sequence sinsert x₀ ⟨x₁, … xₙ⟩.

Description

HOL includes an extensive theory of lists, but the Z notion of sequences [5, p 115][2, p 107] modelled as graphs is not part of HOL. We develop a syntax and type constructors for graph-based sequences, building upon the function and number theories discussed previously. A basic sequence is a finite graph defined on an initial interval of the natural numbers. A non-empty sequence has at least one element and an injective sequence has no repeated elements.

Laws

seq₁ X = seq X \ {⟨⟩}  (seq1_nonempty)
Name

⁀ - Concatenation
rev - Reverse

Definition

s ⁀ t = s ∪ { n | n ∈ dom t • n + #s ↦ t·n }  (Z_sconcat_redef)
rev s = (λ n | n ∈ dom s • s·(#s - n + 1))  (Z_srev_def)

Description

Sequence concatenation [5, p 116][2, p 108] adds the elements of one sequence at the end of another.

Sequence reverse [5, p 116][2, p 108] maintains the elements of its argument, listing them in the reverse order.

Laws

s ⁀ t ⁀ u = s ⁀ (t ⁀ u)  (Z_sconcat_assoc)
⟨⟩ ⁀ s = s  (Z_sconcat_semptyl)
s ⁀ ⟨⟩ = s  (Z_sconcat_semptyr)
#(s ⁀ t) = #s + #t  (Z_sconcat_zcard)
rev ⟨⟩ = ⟨⟩  (Z_srev_sempty)
rev ⟨x⟩ = ⟨x⟩  (Z_srev_sunit)
rev (s ⁀ t) = rev t ⁀ rev s  (Z_srev_sconcat)
rev (rev s) = s  (Z_srev_srev)
Name

head, tail, last, front - Sequence decomposition

Definition

head s = s·1  (Z_shead_def)
tail s = (λ n | n ∈ 1..#s - 1 • s·(n + 1))  (Z_stail_def)
front s = (1..#s - 1) ◁ s  (Z_sfront_def)
last s = s·#s  (Z_slast_def)

Description

The head, tail, front and last operators [5, p 117][2, p 108,9] are defined as in Spivey.

Laws

head ⟨x⟩ = last ⟨x⟩ = x  (Z_shead_slast_sunit)
tail ⟨x⟩ = front ⟨x⟩ = ⟨⟩  (Z_stail_sfront_sunit)
s ≠ ⟨⟩ ⇒ head (s ⁀ t) = head s ∧ tail (s ⁀ t) = tail s ⁀ t  (Z_shead_stail_sconcat)
t ≠ ⟨⟩ ⇒ last (s ⁀ t) = last t ∧ front (s ⁀ t) = s ⁀ front t  (Z_slast_sfront_sconcat)
s ≠ ⟨⟩ ⇒ ⟨head s⟩ ⁀ tail s = s  (Z_shead_stail_reconstr)
s ≠ ⟨⟩ ⇒ front s ⁀ ⟨last s⟩ = s  (Z_sfront_slast_reconstr)
s ≠ ⟨⟩ ⇒ head (rev s) = last s ∧ tail (rev s) = rev (front s)  (Z_shead_stail_srev_sfront)
s ≠ ⟨⟩ ⇒ last (rev s) = head s ∧ front (rev s) = rev (tail s)  (Z_slast_sfront_srev)
Name

_↿_ - Extraction
_↾_ - Filtering
squash - Compaction

Definition

U ↿ s = squash (U ◁ s)  (Z_sxtract_def)
s ↾ V = squash (s ▷ V)  (Z_sfilter_def)
squash f = { x | x ∈ dom f • #{ i | i ∈ dom f ∧ i < x } + 1 ↦ f·x }  (ssquash_def)

Description

We can create a sequence squash f from a function by translating its domain using the bounded_card function. The inverse of this function is used to show monotonicity of the squash function [5, p 118][2, p 109]. Extraction and filtering [5, p 118][2, p 109] are defined in the natural way.

Laws

⟨⟩ ↾ V = U ↿ ⟨⟩ = ⟨⟩  (Z_sfilter_sxtract_sempty)
(s ⁀ t) ↾ V = (s ↾ V) ⁀ (t ↾ V)  (Z_sconcat_sfilter)
ran s ⊆ V ⇔ s ↾ V = s  (Z_sfilter_ran_redef)
s ↾ ∅ = ∅ ↿ s = ⟨⟩  (Z_sfilter_empty_sxtract_sempty)
#(s ↾ V) ≤ #s  (Z_zcard_sfilter)
s ↾ V ↾ W = s ↾ (V ∩ W)  (Z_sfilter_repeat)
Name

prefix - Prefix relation
suffix - Suffix relation
in - Segment relation

Definition

s prefix t = ∃ v • v ∈ seq X ∧ s ⁀ v = t  (Z_prefix_def)
s suffix t = ∃ u • u ∈ seq X ∧ u ⁀ s = t  (Z_suffix_def)
s in t = ∃ u v • (u ∈ seq X ∧ v ∈ seq X) ∧ u ⁀ s ⁀ v = t  (Z_infix_def)

Description

Prefix, suffix and infix [5, p 119][2, p 109,110] are defined as type generic operators. The extraction lemmas discussed below are not expressed as in Spivey. All three require the extra assumption that #s ≤ #t to establish various arithmetic expressions. This must be an unstated assumption in the definition of suffix, prefix and infix, since if s is larger than t it obviously cannot be a suffix, prefix or infix of t anyway.

The infix extraction lemma requires a complete restatement as compared to the version in Spivey. The original expression in Spivey is:

s in t ⇔ (∃ n | n ∈ 1..#t • s = (n..n + #s) ↿ t)

which is clearly wrong since #(n..n + #s) > #s.

Laws

s prefix t ⇔ s = (1..#s) ↿ t  (Z_sprefix_sxtract)
s suffix t ⇔ s = (#t - #s + 1..#t) ↿ t  (Z_ssuffix_sxtract)
s in t ⇔ (∃ n • n ∈ 0..#t - #s ∧ s = (n + 1..n + #s) ↿ t)  (Z_sinfix_sxtract)
s in t ⇔ (∃ u • u ∈ seq X ∧ s suffix u ∧ u prefix t)  (Z_sinfix_sp)
s in t ⇔ (∃ v • v ∈ seq X ∧ s prefix v ∧ v suffix t)  (Z_sinfix_ps)
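The graph model of sequences, together with squash, filtering, extraction and the three extraction lemmas above, can be checked on finite data, and doing so makes the point about Spivey's infix formulation concrete. The following Python module is an added example written for this page, not code from the HiVe toolkit or the report: a sequence is a dict from indices 1..n to values (the graph of a function on an initial interval of ℕ, as seq X is defined in this section), each operator is coded from its definition above, and `infix_spivey` is the rejected statement coded literally so its failure can be seen. The audit-event names in the sample sequences are constructed here.

```python
"""Graph-based sequences from Section 3.6: squash, filtering, extraction and
the prefix/suffix/infix extraction lemmas, checked on finite data.

Added example, not part of the HiVe toolkit or the report. A sequence is a
dict {index: value} with indices 1..n, i.e. the graph of a function on an
initial interval of ℕ, as seq X is defined on the page. The event names in
the sample sequences are constructed here.
"""


def seq(*xs):                      # ⟨x₁, …, xₙ⟩ as a graph
    return {i + 1: x for i, x in enumerate(xs)}


def concat(s, t):                  # s ⁀ t = s ∪ { n | n ∈ dom t • n + #s ↦ t·n }
    return {**s, **{n + len(s): t[n] for n in t}}


def squash(f):
    """squash f: renumber a finite graph on ℕ onto an initial interval,
    preserving order. Position of x is #{ i | i ∈ dom f ∧ i < x } + 1."""
    return {sum(1 for i in f if i < x) + 1: f[x] for x in f}


def extract(U, s):                 # U ↿ s = squash (U ◁ s)
    return squash({n: v for n, v in s.items() if n in U})


def sfilter(s, V):                 # s ↾ V = squash (s ▷ V)
    return squash({n: v for n, v in s.items() if v in V})


def prefix(s, t):                  # s prefix t ⇔ s = (1..#s) ↿ t   (Z_sprefix_sxtract)
    return s == extract(range(1, len(s) + 1), t)


def suffix(s, t):                  # s suffix t ⇔ s = (#t - #s + 1..#t) ↿ t   (Z_ssuffix_sxtract)
    return s == extract(range(len(t) - len(s) + 1, len(t) + 1), t)


def infix(s, t):                   # s in t ⇔ (∃ n • n ∈ 0..#t - #s ∧ s = (n + 1..n + #s) ↿ t)
    return any(s == extract(range(n + 1, n + len(s) + 1), t)
               for n in range(0, len(t) - len(s) + 1))


def infix_spivey(s, t):
    """The statement the text rejects: ∃ n • n ∈ 1..#t ∧ s = (n..n + #s) ↿ t.
    The window n..n + #s has #s + 1 indices, so it can only equal s when it
    is clipped at the end of t; an interior occurrence of s is never found."""
    return any(s == extract(range(n, n + len(s) + 1), t) for n in range(1, len(t) + 1))


def check_laws(s, t, V, W):
    """A selection of this section's laws on finite data; law name -> bool."""
    prefixes_of_t = [extract(range(1, k + 1), t) for k in range(len(t) + 1)]
    return {
        "Z_sconcat_sfilter": sfilter(concat(s, t), V) == concat(sfilter(s, V), sfilter(t, V)),
        "Z_sfilter_ran_redef": (set(s.values()) <= set(V)) == (sfilter(s, V) == s),
        "Z_zcard_sfilter": len(sfilter(s, V)) <= len(s),
        "Z_sfilter_repeat": sfilter(sfilter(s, V), W) == sfilter(s, set(V) & set(W)),
        "Z_sinfix_sp": infix(s, t) == any(suffix(s, u) and prefix(u, t) for u in prefixes_of_t),
    }


# Constructed sample data: audit-event sequences.
S = seq("login", "read", "write", "read")
T = seq("write", "logout")
```

With `S` as above, `infix(seq("read"), seq("login", "read", "write", "logout"))` holds while `infix_spivey` on the same arguments does not, which is exactly the `#(n..n + #s) > #s` defect the description points out; `check_laws` returns a dictionary in which every law listed evaluates to True for the constructed data.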
Relational operations on sequences

As in Spivey [5, p 120], our definition of sequence makes it a special type of graph, and many previously discussed operators are applicable to sequences.

#(f ∘ s) = #s  (Z_seq_rel_comp_zcard)
∀ i • i ∈ 1..#s ⇒ (f ∘ s)·i = f·(s·i)  (Z_seq_rel_comp_beta)
(Z_sempty_rel_comp)
f ∘ ⟨x⟩ = ⟨f·x⟩  (Z_sunit_rel_comp)
f ∘ (s ⁀ t) = (f ∘ s) ⁀ (f ∘ t)  (Z_sconcat_rel_comp)
ran s = { i | i ∈ 1..#s • s·i }  (Z_ran_redef)
ran ⟨⟩ = ∅  (Z_sempty_ran)
ran ⟨x⟩ = {x}  (Z_sunit_ran)
ran (s ⁀ t) = ran s ∪ ran t  (Z_sconcat_ran_union)
rev (f ∘ s) = f ∘ rev s  (Z_srev_rel_comp)
(f ∘ s) ↾ V = f ∘ (s ↾ (f~)⦇V⦈)  (Z_sfilter_rel_comp)
ran (s ↾ V) = ran s ∩ V  (Z_ran_sfilter_inter)
Name

⁀/ - Distributed concatenation

Definition

⁀/ ⟨⟩ = ⟨⟩  (sdistrib_sempty)
⁀/ ⟨s⟩ = s  (Z_sdistrib_sunit)
⁀/ (s ⁀ t) = (⁀/ s) ⁀ (⁀/ t)  (Z_sdistrib_sconcat)

Description

Distributed concatenation [5, p 121][2, p 110] is modelled as a type generic operator built from a recursion operator. The recursion operator allows for partial evaluation of functions over a sequence.

Laws

⁀/ ⟨s, t⟩ = s ⁀ t  (Z_sdistrib_sinsert_seq)
rev (⁀/ q) = ⁀/ rev (grf rev ∘ q)  (Z_srev_sdistrib)
⁀/ q ↾ V = ⁀/ ((λ s | s ∈ seq X • s ↾ V) ∘ q)  (Z_sdistrib_sfilter)
f ∘ ⁀/ q = ⁀/ ((λ s | s ∈ seq X • f ∘ s) ∘ q)  (Z_sdistrib_rel_comp)
ran (⁀/ q) = (⋃ i | i ∈ 1..#q • ran (q·i)) = ⋃ ran (grf ran ∘ q)  (Z_sdistrib_ran)
Name

disjoint - Disjointness
partition - Partitions

Definition

disjoint S = ∀ i j • i, j ∈ dom S ∧ i ≠ j ⇒ S·i ∩ S·j = ∅  (Z_Disjoint_def)
S partition T = disjoint S ∧ (⋃ i | i ∈ dom S • S·i) = T  (Z_zpartition_def)

Description

We define type generic operators for disjoint and partition [5, p 122]. The disjoint operator was already defined in HOL; we have simply provided an alternate definition more in keeping with the Z definition.

Laws

disjoint ∅  (Z_Disjoint_empty)
disjoint ⟨x⟩  (Z_Disjoint_sunit)
disjoint ⟨A, B⟩ ⇔ A ∩ B = ∅  (Z_Disjoint_sinsert)
⟨A, B⟩ partition C ⇔ A ∩ B = ∅ ∧ A ∪ B = C  (Z_partition_sinsert)
Induction

We provide three induction methods for sequences [5, p 123]. The first involves an insertion at the head of a sequence, the second an insertion at the end of the sequence and the third the concatenation of two sequences.

seq_induct:

⟦s ∈ seq X; P ⟨⟩; ⋀ xs x • ⟦xs ∈ seq X; x ∈ X; P xs⟧ ⊢ P (⟨x⟩ ⁀ xs)⟧ ⊢ P s

seq_rev_induct:

⟦s ∈ seq X; P ⟨⟩; ⋀ xs x • ⟦xs ∈ seq X; x ∈ X; P xs⟧ ⊢ P (xs ⁀ ⟨x⟩)⟧ ⊢ P s

seq_sconcat_induct:

⟦s ∈ seq X; P ⟨⟩; ⋀ x • x ∈ X ⊢ P ⟨x⟩; ⋀ s t • ⟦s ∈ seq X; t ∈ seq X; P s; P t⟧ ⊢ P (s ⁀ t)⟧ ⊢ P s

DSTO-TR-2272
3.7 Bags

Name

bag - Bags
♯ - Multiplicity
⊗ - Bag scaling
binsert - Bag insertion
⟦⟧ - Empty bag

Definition

bag X = X ⇸ ℕ₁  (bag_def)
b ♯ x = ((λ x • 0) ⊕ b) x  (Z_bhash_def)
(n ⊗ b) ♯ x = n * b ♯ x  (Z_bscale_def)
binsert x b = b ⊕ {(x, b ♯ x + 1)}  (binsert_def)
⟦⟧ = ∅  (bempty_def)

Notation

We write ⟦x₀, x₁, … xₙ⟧ for binsert x₀ ⟦x₁, … xₙ⟧.

Description

Bags are collections that may be distinguished by the number of occurrences of a member. This makes them essentially natural number valued functions. Spivey [5, p. 124] introduces bags as non-zero valued functions from a specified range set to the natural numbers.

Laws

dom b = { x | b ♯ x ∈ ℕ₁ }  (Z_dom_bhash)
n ⊗ ⟦⟧ = 0 ⊗ b = ⟦⟧  (Z_bscale_bempty_zero)
1 ⊗ b = b  (Z_unit_scale)
(n * m) ⊗ b = n ⊗ m ⊗ b  (Z_dist_scale)
Name

⋿ - Bag membership
⊑ - Sub-bag relation

Definition

x ⋿ B = x ∈ dom B  (Z_inbag_def)
B ⊑ C = ∀ x • x ∈ X ⇒ B ♯ x ≤ C ♯ x  (Z_bag_le_def)

Description

The bag membership operator [5, p. 125] determines whether the frequency of a particular element is non-zero.

The sub-bag operator [5, p. 125] is the point-wise lift of the natural number order.

Laws

x ⋿ b ⇔ 0 < b ♯ x  (Z_inbag_bhash)
b ⊑ c ⇒ dom b ⊆ dom c  (Z_bag_le_dom)
⟦⟧ ⊑ b  (Z_bempty_bag_le)
b ⊑ b  (Z_bag_self_le)
b ⊑ c ∧ c ⊑ b ⇒ b = c  (Z_bag_le_eq)
b ⊑ c ∧ c ⊑ d ⇒ b ⊑ d  (Z_bag_le_trans)
Name

⊎ - Bag union
⩁ - Bag difference

Definition

(b ⊎ c) ♯ x = b ♯ x + c ♯ x  (Z_bunion_def)
(b ⩁ c) ♯ x = if c ♯ x ≤ b ♯ x then b ♯ x - c ♯ x else 0 fi  (Z_bdiff_def)

Description

Bag union and bag difference [5, p. 126] can be defined in terms of arithmetic on the counts.

Laws

dom (b ⊎ c) = dom b ∪ dom c  (Z_bunion_dom)
⟦⟧ ⊎ b = b ⊎ ⟦⟧ = b  (Z_bunion_empty)
b ⊎ c = c ⊎ b  (Z_bunion_commute)
b ⊎ c ⊎ d = b ⊎ (c ⊎ d)  (Z_bunion_assoc)
⟦⟧ ⩁ b = ⟦⟧ ∧ b ⩁ ⟦⟧ = b  (Z_bdiff_empty)
b ⊎ c ⩁ c = b  (Z_bunion_inverse)
(n + m) ⊗ b = n ⊗ b ⊎ (m ⊗ b)  (Z_bscale_union)
m ≤ n ⇒ (n - m) ⊗ b = n ⊗ b ⩁ (m ⊗ b)  (Z_bscale_diff)
n ⊗ (b ⊎ c) = n ⊗ b ⊎ (n ⊗ c)  (Z_bunion_distr)
n ⊗ (b ⩁ c) = n ⊗ b ⩁ (n ⊗ c)  (Z_bdiff_distr)
Name

items - Bag of elements of a sequence

Definition

(items s) ♯ x = #{ i | i ∈ dom s ∧ s·i = x }  (Z_bitems_def)

Description

A bag can be constructed by counting the occurrences of the elements of a list [5, p. 127].

Laws

dom (items s) = ran s  (Z_bitems_dom)
items (sinsert x s) = binsert x (items s)  (Z_bitems_sinsert)
items (s ⁀ t) = items s ⊎ items t  (Z_bitems_concat)
items s = items t ⇔ (∃ f • f ∈ dom s ⤖ dom t ∧ s = t ∘ f)  (Z_bitems_permutations)
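The bag operators of Section 3.7 (multiplicity via overriding, scaling, union, difference, sub-bag and items) and the laws listed for them, including the permutation characterisation just above, can all be checked on finite data. The following Python module is an added example written for this page, not code from the HiVe toolkit or the report: a bag is a dict from elements to strictly positive counts (the graph of X ⇸ ℕ₁), each operator is coded from its definition in this section, and `is_permutation` decides the right-hand side of Z_bitems_permutations by enumerating the bijections between two index sets. Sequences use the same dict-of-indices representation as in Section 3.6, and the event names in the sample data are constructed here.

```python
"""Bags from Section 3.7 as natural-number-valued function graphs, checked
on finite data.

Added example, not part of the HiVe toolkit or the report. A bag is a dict
{x: count} with strictly positive counts (the graph of X ⇸ ℕ₁ on the
page); b ♯ x is the override of the constant-zero function by b, as in
Z_bhash_def. Sequences are dicts {index: value} as in Section 3.6. The
event names in the sample data are constructed here.
"""
from itertools import permutations


def bhash(b, x):                   # b ♯ x = ((λ x • 0) ⊕ b) x
    return b.get(x, 0)


def bscale(n, b):                  # (n ⊗ b) ♯ x = n * b ♯ x; zero counts leave the domain
    return {x: n * c for x, c in b.items() if n * c > 0}


def binsert(x, b):                 # binsert x b = b ⊕ {(x, b ♯ x + 1)}
    return {**b, x: bhash(b, x) + 1}


def bunion(b, c):                  # (b ⊎ c) ♯ x = b ♯ x + c ♯ x
    return {x: bhash(b, x) + bhash(c, x) for x in set(b) | set(c)}


def bdiff(b, c):                   # (b ⩁ c) ♯ x = if c ♯ x ≤ b ♯ x then b ♯ x - c ♯ x else 0
    return {x: bhash(b, x) - bhash(c, x) for x in b if bhash(b, x) > bhash(c, x)}


def inbag(x, b):                   # x ⋿ b ⇔ x ∈ dom b
    return x in b


def bag_le(b, c):                  # b ⊑ c ⇔ ∀ x • b ♯ x ≤ c ♯ x
    return all(bhash(b, x) <= bhash(c, x) for x in b)


def seq(*xs):                      # ⟨x₁, …, xₙ⟩ as a graph
    return {i + 1: x for i, x in enumerate(xs)}


def concat(s, t):                  # s ⁀ t
    return {**s, **{n + len(s): t[n] for n in t}}


def items(s):                      # (items s) ♯ x = #{ i | i ∈ dom s ∧ s·i = x }
    b = {}
    for x in s.values():
        b = binsert(x, b)
    return b


def is_permutation(s, t):
    """Right-hand side of Z_bitems_permutations: ∃ f • f ∈ dom s ⤖ dom t ∧ s = t ∘ f,
    decided by enumerating the bijections between the two index sets."""
    if len(s) != len(t):
        return False
    src = sorted(s)
    return any(all(s[i] == t[j] for i, j in zip(src, perm)) for perm in permutations(sorted(t)))


def check_laws(b, c, n, m, s, t):
    """A selection of this section's laws on finite data; law name -> bool."""
    return {
        "Z_bunion_dom": set(bunion(b, c)) == set(b) | set(c),
        "Z_bunion_commute": bunion(b, c) == bunion(c, b),
        "Z_bunion_inverse": bdiff(bunion(b, c), c) == b,
        "Z_bscale_union": bscale(n + m, b) == bunion(bscale(n, b), bscale(m, b)),
        "Z_bscale_diff": (m > n) or bscale(n - m, b) == bdiff(bscale(n, b), bscale(m, b)),
        "Z_bdiff_distr": bscale(n, bdiff(b, c)) == bdiff(bscale(n, b), bscale(n, c)),
        "Z_bag_le_dom": (not bag_le(b, c)) or set(b) <= set(c),
        "Z_bitems_dom": set(items(s)) == set(s.values()),
        "Z_bitems_concat": items(concat(s, t)) == bunion(items(s), items(t)),
        "Z_bitems_permutations": (items(s) == items(t)) == is_permutation(s, t),
    }


# Constructed sample data.
B = {"read": 2, "write": 1}
C = {"read": 1, "write": 2, "login": 1}
S = seq("read", "write", "read")
T = seq("write", "read", "read")
```

Because a bag is a function into ℕ₁, `bscale` and `bdiff` drop any element whose count reaches zero; that is what keeps `bdiff(bunion(B, C), C) == B` (Z_bunion_inverse) an equality of graphs rather than of counts only.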